IPSec, VPN, architecture (wireless security tutorial - part 3)


IPSec, VPN, and wireless architecture are the terms that take wireless network security to the next level. Securing your wireless network is as important as having a good lock on your office door. Getting data or services from unsecured (open) networks is very easy, and breaking into WEP-secured networks is quite feasible.

The current wireless security standards, WPA and WPA2, provide a relatively good security layer; however, it is only a matter of time before the hacker community develops approaches to get into WPA networks as well.

IPSec, VPN, and sound wireless network architecture are other approaches to make your office and business more secure.

We talked about WEP and WPA security in the first and second parts of this tutorial.

In addition to choosing the most advanced security protocol, network specialists often employ many other features and measures. Some of them are listed on this page.

Encrypted tunneling protocols

The use of encrypted tunneling protocols (for example IPSec or Secure Shell) can provide secure data transmission through cryptographic security services. These measures operate at the IP protocol layer and are supported today by the kernels of mainstream operating systems. Enabling tunneling protocols can have some effect on network performance; however, the cost is small relative to the benefit.

For IPsec to work, the sending and receiving devices must share a key in advance, which may seem to be the same drawback as with WEP. Tunneling protocols are, however, one step smarter: they provide mechanisms that allow the wireless client to obtain a public key and authenticate the sender using digital certificates. Building digital certificates into your security design is a good way to go, since they are very easy to manage and also very secure.

Is there a problem with IPSec? IPSec has some limitations in wireless networks. It can be used successfully only in settings where we control all the wireless clients, that is, where we know who will connect to us. IPSec is not applicable to general public WLANs because many computers on such a network do not support IPSec and are not managed. To use IPSec to help secure traffic sent over 802.11 wireless networks, the network administrator must ensure that client computers and servers support IPSec. Configuration management and trust are also required on the client computers and servers when IPSec is used. Proper configuration of routers, firewalls, and other filtering devices also plays an important role in an IPSec deployment.

Deployment of IPSec policy in an Active Directory environment requires Windows Server 2003, Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, or Windows Vista clients. Windows XP Home is not supported because Active Directory is involved. Windows Vista Home has some limited support for IPSec through its IPSec Policy Agent. A mix of clients running different operating systems is known to cause compatibility issues.

VPN security (Virtual Private Network)

Virtual Private Network (VPN) technology can control which users outside the network have access to it. A VPN is nothing more than a gateway to the network that authorized users have to pass through before they can access any part of the network, wired or otherwise.

Large corporations often use Citrix as a gateway into their networks. Microsoft Terminal Services can also be used in some cases.

Combined with MAC address filtering and WPA, or even with tunneling protocols, a VPN can make the wireless network secure.

Wireless architecture

Another way to control wireless security is to make the network unavailable to outside users. When designing your wireless network and the placement of wireless access points, it is a good idea to space them around your company building and offices so that users inside the building can reach your wireless signal but anyone outside the building (for example in the parking lot) cannot. (See the How to choose the right wireless router? page for more details.)

This can be accomplished by using wireless access points with the correct signal output strength and placing them correctly around the building. Access points with so-called directional antennas are also very beneficial: they can be used to send the signal in a desired direction. Some high-security buildings are built with protective shielding inside the walls and special glass in the windows that limits how much wireless signal can get through.
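The placement advice above can be checked with a simple link budget before buying equipment. The following is an added example, not part of the original tutorial: it models an AP on 2.4 GHz channel 6 with a few constructed survey points (distances and wall losses are assumptions, not measurements), reports which points get a usable signal, and searches for the highest output power at which every indoor point is covered but the parking lot is not.

```python
import math

# Constructed assumptions for the scenario: 2.4 GHz channel 6, a 2 dBi AP antenna,
# 0 dBi client antennas, and a client that is assumed usable at or above -70 dBm.
FREQ_MHZ = 2437.0
AP_ANTENNA_DBI = 2.0
CLIENT_ANTENNA_DBI = 0.0
USABLE_DBM = -70.0

# Constructed survey points: (name, distance from AP in metres,
# total attenuation of the walls in between in dB, inside the building?)
SURVEY_POINTS = [
    ("reception desk", 15.0, 3.0, True),
    ("far corner office", 35.0, 6.0, True),
    ("parking lot", 60.0, 12.0, False),
]


def free_space_path_loss_db(distance_m, freq_mhz):
    """Free-space path loss in dB (distance in metres, frequency in MHz)."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(tx_power_dbm, distance_m, wall_loss_db):
    """Signal level at the client: AP output plus antenna gains minus path and wall losses."""
    path_loss = free_space_path_loss_db(distance_m, FREQ_MHZ)
    return tx_power_dbm + AP_ANTENNA_DBI + CLIENT_ANTENNA_DBI - path_loss - wall_loss_db


def coverage(tx_power_dbm, points=SURVEY_POINTS):
    """Map each survey point to whether it receives a usable signal at this output power."""
    return {name: received_power_dbm(tx_power_dbm, dist, loss) >= USABLE_DBM
            for name, dist, loss, _inside in points}


def placement_ok(tx_power_dbm, points=SURVEY_POINTS):
    """True when every indoor point is usable and no outdoor point is."""
    reach = coverage(tx_power_dbm, points)
    return all(reach[name] == inside for name, _d, _l, inside in points)


def max_safe_tx_power(points=SURVEY_POINTS, candidates=range(20, -1, -1)):
    """Highest output setting in dBm (stepping down from 20 dBm) that satisfies placement_ok, or None."""
    for power in candidates:
        if placement_ok(power, points):
            return power
    return None


if __name__ == "__main__":
    print("at 20 dBm:", coverage(20))              # parking lot is still reachable
    print("highest safe output:", max_safe_tx_power(), "dBm")
```

Free-space loss is an optimistic model, so treat the result as a planning figure and confirm it with a walk-around survey once the access points are in place.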

Is there something else I need to know?

Tunneling protocols and VPNs are not something an average Joe would set up in his back yard. If you are running a small business or home network, you might be interested in reading the next page, which gives many practical tips: Secure your WLAN (wireless security tutorial - part 4).
